How To Build The Most Secure CMS For Your Website

By Pete Czech

How To Build The Most Secure CMS For Your Websitehttps://www.npgroup.net/blog/how-to-build-the-most-secure-cms-for-your-website/New Possibilities Group2016-11-08

Many customers planning their next website design and development project are approaching us with concerns about security.

Either through experience or research, website owners are acknowledging that many off-the-shelf CMS platforms are more vulnerable to attacks by malicious scripts, bots, or foreign actors as opposed to custom CMS solutions.

Without getting too far off the topic at hand, the CMS landscape today includes a plethora of different platforms. As those platforms expand in their install base, they become more and more likely targets for hackers and other nefarious characters who will, for a variety of reasons, attempt to access and manipulate websites.

This causes a continuous cycle of upgrades and updates, which are difficult to keep up with and in many cases can cause instability if the site is heavily reliant on plug-ins or other customizations. This vicious cycle drives marketers crazy, as they have to constantly reinvest dollars to their website’s technology instead of spending it on other more worthwhile pursuits.

Before we get into some tactics for securing your CMS installation, first we should focus on exactly who should be the most concerned about security. We often see corporations or enterprises that are focused in the security (IT or similar) and financial or other highly sensitive areas that also have a marketing team in place.

These companies are often restricted from using the common off-the-shelf platforms, yet require the capabilities to manage their website utilizing the latest and greatest marketing techniques, such as content marketing. These companies oftentimes will seek out customized approaches to bridging the gap between corporate security policies and the creativity and freedom their marketing team requires.

Another instance is with customized ecommerce, especially with highly specialized or high-priced items. Many off-the-shelf ecommerce systems are aimed at merchants with a large inventory and limited product options. Organizations with complex ecommerce oftentimes seek out customized solutions as opposed to making significant changes to available platforms which later on will affect the upgradeability, or safety and security, of the platform.

So, assuming you require such peace of mind, how do you ensure your site is built on the most secure CMS framework? Here are a couple of strategies that we’ve utilized in the past which have solved the problems clients have approached us with:

Get Below The Radar

As mentioned earlier, the fact that so many websites are utilizing the same platforms have spawned an era of automated systems, bots, and spiders that are looking for vulnerabilities with existing CMS platforms. This can easily be addressed by simply flying under the radar, or making it more difficult to determine what platform you are on.

Obviously this is much easier to do if you have a customized platform or a proprietary system. These installations rarely worry about the automated bots since they are less attractive targets.

However, if your site runs on an off-the-shelf platform like WordPress or Drupal this becomes more difficult and even more necessary. Work with your development team to take the necessary steps to hide your platform from plain view. Having a level of anonymity will help reduce the stress of not knowing when your next breach may be.

Decoupled Vs. Coupled

Decoupling your CMS is one of the best ways to ensure that you have the most secure CMS possible. In a nutshell, decoupling your content management system from the user experience or front end means you are creating two unique nodes that are operating separately, yet communicating via secure methods.

In terms of overall security, this makes a lot of sense since having your management portal in one location enables you to lock it down from the rest of the world while maintaining a public presence for users to consume content. The admin portal is essentially the most important part of your framework when it comes to affecting the look, feel, and content of your website.

In this way, it makes total sense that this area is locked away in a safe, secure place without the ability of third parties to attempt to compromise the system.

Most CMS platforms today are coupled, or integrated. Systems such as Drupal, WordPress, Joomla, Sitecore – they all tightly integrate the administrative portal with the front end so that it is hard to separate them enough to ensure safety and security. The next generation of CMS platforms will focus on decoupling for a variety of reasons, with security being just one. Other reasons are additional distribution channels and longevity.

An analogy to explain coupled versus decoupled could be your bank accounts. If you had $1000 you wanted to save, you could easily put it in a cashbox or safe in your house. But if your house was (god forbid!) robbed or compromised, the perpetrators could easily grab the safe as well. However, if you decoupled your money from your house by placing it in the bank, where there is a focus on security and many levels of protection in place, there is a much lower chance of losing your money.

Static Site Publishing

One methodology which is decidedly low-tech (but high-tech to implement), is the idea of publishing your website files in a static manner. This means, instead of having each webpage make calls to a database to populate the pages, the static .html pages exist on a web server, or even better, a CDN or similar service.

Why do this? Simply because it removes any possibility of your site being compromised via mechanisms such as SQL injections, scripting language vulnerabilities or similar. Simple HTML pages can live on a CDN account which would mean you are instantly scaled, load balanced and optimized for speedy delivery around the world.

Interactive pieces such as forms can be handled via embeds with your marketing automation software or via front-end API connectivity. This method actually provides you with the ultimate amount of comfort if security is your number one concern.

This also works very well when put together with a decoupled CMS. You can use your CMS to add, edit, delete, and organize content just like you always do. But instead of the changes happening live, you can then “publish” them from your CMS platform direct to their final destination.

In this scenario, your staging site would behave similar to a normal database-driven site, allowing you to preview your changes in real-time in a secure environment before eventually deploying the static files.

Admin Portal Lock Down

Another way to build the most secure CMS platform for your company is to lock down the admin portal as much as possible. In the event that decoupling your platform isn’t feasible, you should take as many steps as you can to create difficulty in finding your CMS admin panel login page.

Many off-the-shelf platforms all share the same system making it easy to figure out where these pages live. And even worse, we see cases where websites are compromised because of shoddy password creation or forced entry.

There are a variety of tactics site administrators can take which are relatively easy to lock down these portions of your website. One possibility is restricting those paths to certain IP addresses. You can do this simply with web servers such as Apache or IIS. Another is to rename the administrative pathway to something a bit less predictable.

Sometimes simple changes are all you need to persuade the less skilled hacker, or the automated bots to move onwards to an easier target.

In Conclusion: Plan, Prepare, And Secure

The most secure CMS is the one where the webmaster or site owner has planned for the worst and prepared for it. Utilizing the above tactics can help secure your CMS above and beyond the vast majority of sites on the internet.

Remember, your website is a preview of what it is like to work with your company. If a potential or existing customers see a site that is hacked, or even worse get infected themselves, your company credibility will be lost forever. In the case of the latter, you may even become liable. Take security seriously, and you will avoid many untimely emergencies.